06-27-2012 01:43 PM - edited 03-07-2019 07:30 AM
Cisco Community:
In the setup below the Cisco 2600 router is not synchronizing with the external NTP server.
Please help.
John
Setup:
INTERNET ISP router ======CISCO ASA5505(10.1.1.2)======fa0/1CISCO 2600fa0/0=====Users
The goal is to synchronize the 2600 with an External NTP server. The ASA is already synchronized after using just these commands:
clock timezone UTC -6
ntp server 38.106.177.10
On the 2600 router I get these outputs after 3 hours:
RTR#sh ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
RTR#sh ntp association
address ref clock st when poll reach delay offset disp
~38.106.177.10 0.0.0.0 16 - 64 0 0.0 0.00 16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
RTR# debug ntp packet
*Apr 3 18:28:01.065: NTP: xmit packet to 38.106.177.10:
*Apr 3 18:28:01.065: leap 3, mode 3, version 3, stratum 0, ppoll 64
*Apr 3 18:28:01.065: rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)
*Apr 3 18:28:01.065: ref 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)
*Apr 3 18:28:01.065: org 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)
*Apr 3 18:28:01.065: rec 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)
*Apr 3 18:28:01.065: xmt AF68AA11.10C7B7FB (18:28:01.065 CST Sat Apr 3 1993)
Configuration
RTR#sh run
Building configuration...
Current configuration : 1853 bytes
!
version 12.2
service timestamps debug datetime msec localtime
service timestamps log datetime msec
service password-encryption
!
hostname RTR
!
!
clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
!
!
ip domain-name domain.com
ip name-server 10.250.100.1
!
!
!
!
interface FastEthernet0/0
ip address 10.250.1.113 255.255.0.0
no ip proxy-arp
ip route-cache flow
speed auto
full-duplex
!
interface FastEthernet0/1
ip address 10.1.1.1 255.255.0.0
duplex auto
speed auto
!
!
ip flow-export destination 10.250.100.60 2055
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.2
ip route 10.210.0.0 255.255.0.0 10.250.1.111
ip route 10.220.2.0 255.255.255.0 10.250.1.111
ip route 10.230.0.0 255.255.0.0 10.250.1.111
ip route 10.231.0.0 255.255.0.0 10.250.1.111
ip route 10.240.0.0 255.255.0.0 10.250.1.111
ip route 10.241.0.0 255.255.0.0 10.250.1.111
ip route 10.242.0.0 255.255.0.0 10.250.1.111
ip route 172.16.0.0 255.255.0.0 10.250.1.112
ip route 172.30.1.0 255.255.255.0 10.1.1.2
ip route 192.168.3.0 255.255.255.0 10.250.1.111
ip route 192.168.4.0 255.255.255.0 10.250.1.111
ip route 192.168.100.0 255.255.255.0 10.250.1.111
ip http server
!
!
line con 0
line aux 0
line vty 0 4
password xxxxxxx
login
!
ntp source FastEthernet0/1
ntp server 38.106.177.10
end
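To make the debug output in the first post concrete, here is an added Python example (not from the original poster or from Cisco) that builds the mode-3 client request the router is sending, decodes its fields (the xmt timestamp AF68AA11.10C7B7FB, the rtdsp value 0x10001, the all-zero ref/org/rec stamps that IOS prints as 1899), and applies the checks a client should run on a reply before trusting it. The server reply is constructed only for the test and is not real server output.

```python
import struct
from datetime import datetime, timedelta, timezone

NTP_UNIX_DELTA = 2208988800            # seconds from the NTP epoch (1900-01-01) to the Unix epoch
NTP_FMT = "!BBBb" + "I" * 11           # 48-byte NTP header, big-endian

def ntp_ts_to_datetime(hi, lo):
    """64-bit NTP timestamp (seconds since 1900, 32-bit fraction) -> UTC, or None if all zero."""
    if hi == 0 and lo == 0:
        return None                    # 'never set'; IOS renders it as 18:00:00 CST Thu Dec 31 1899
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=hi - NTP_UNIX_DELTA + lo / 2**32)

def fixed16_ms(value):
    """16.16 fixed-point root delay / root dispersion -> milliseconds (0x10001 -> 1000.015)."""
    return round(value / 65536 * 1000, 3)

def build_client_packet(xmt_hi, xmt_lo):
    """Mode-3 (client) NTPv3 request with the field values the router's debug shows."""
    li_vn_mode = (3 << 6) | (3 << 3) | 3      # leap 3 (unsynchronized), version 3, mode 3
    return struct.pack(NTP_FMT, li_vn_mode, 0, 6, -18,   # stratum 0, ppoll 2**6 = 64 s, precision 2**-18
                       0, 0x10001, 0,                     # rtdel 0, rtdsp 0x10001, refid 0.0.0.0
                       0, 0, 0, 0, 0, 0, xmt_hi, xmt_lo)  # ref/org/rec unset, xmt = our clock

def build_server_reply(request, stratum, leap, echo_origin):
    """Constructed mode-4 reply for exercising the client-side checks (not a real server's output)."""
    q = struct.unpack(NTP_FMT, request)
    org = (q[13], q[14]) if echo_origin else (0, 0)      # a real server copies our xmt into org
    now = (0xAF68AA12, 0)                                 # constructed server clock, 1 s after the request
    return struct.pack(NTP_FMT, (leap << 6) | (3 << 3) | 4, stratum, 6, -20,
                       0x0100, 0x0200, 0x0A0A0A0A, 0xAF68AA00, 0, *org, *now, *now)

def parse_packet(data):
    """Decode the fields IOS prints in 'debug ntp packet'."""
    f = struct.unpack(NTP_FMT, data[:48])
    return {"leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
            "stratum": f[1], "poll_s": 2 ** f[2], "precision": f[3],
            "root_delay_ms": fixed16_ms(f[4]), "root_disp_ms": fixed16_ms(f[5]), "refid": f[6],
            "ref": ntp_ts_to_datetime(f[7], f[8]), "org": ntp_ts_to_datetime(f[9], f[10]),
            "rec": ntp_ts_to_datetime(f[11], f[12]), "xmt": ntp_ts_to_datetime(f[13], f[14]),
            "org_raw": (f[9], f[10]), "xmt_raw": (f[13], f[14])}

def response_is_usable(request, reply):
    """Checks a client applies before trusting a reply: server mode, not in alarm state,
    stratum 1-15, and origin timestamp equal to our transmit timestamp (drops stray or forged replies)."""
    q, r = parse_packet(request), parse_packet(reply)
    return r["mode"] == 4 and r["leap"] != 3 and 1 <= r["stratum"] <= 15 and r["org_raw"] == q["xmt_raw"]
```

With reach 0 and stratum 16 in the thread's 'sh ntp association' output, no reply has passed these checks at all, so the packets are not coming back rather than being rejected.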
06-27-2012 02:25 PM
Is this router in front of your ASA or behind your ASA? You may have to set the clock manually on the 2600 a little closer to the real time. If NTP is way off, the synchronization may not happen at all.
HTH,
John
06-27-2012 02:35 PM
The router is behind the ASA. I tried to show that in the text diagram in my question.
06-27-2012 02:38 PM
Ah...
Do you have an acl on your inside interface on the ASA? If so, you'll need to allow udp 123 through for ntp traffic.
I completely missed the diagram.
HTH,
John
06-27-2012 02:46 PM
No ACLs on the inside interface. Why would the ASA itself communicate with the external NTP server without being explicitly allowed? I assume because traffic coming from Inside to Outside is allowed.
Thanks
John
06-27-2012 02:58 PM
That's correct. The ASA can communicate with the NTP server because it's locally generated traffic. The router on the other hand has to go through the ASA to get to it. If you don't have any acls on the inside interface, the traffic originating from the inside is automatically allowed out. Can you post your config for the ASA by chance?
06-27-2012 03:18 PM
j.blakley, thanks for your reply. Here is the ASA config:
ASA Version 8.2(1)
!
hostname ASAdct5505
domain-name default.domain.invalid
names
interface Vlan1
nameif inside
security-level 100
allow-ssc-mgmt
ip address 10.1.1.2 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.240
!
interface Vlan3
description DMZ
nameif DMZ
security-level 50
ip address 172.30.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner login Only for authorized users . PLease disconnect if you are not one.
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone UTC -6
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group network obj_172.22.7.0
network-object 172.22.7.0 255.255.255.0
access-list from_outside extended permit tcp any host 12.156.156.211 eq 3389
access-list from_outside extended permit tcp any host 12.156.156.212 eq 3389
access-list DMZ_in extended permit ip 172.30.1.0 255.255.255.0 10.0.0.0 255.0.0.
access-list DMZ_in extended permit tcp 172.30.1.0 255.255.255.0 any eq www
access-list DMZ_in extended permit tcp 172.30.1.0 255.255.255.0 any eq https
access-list DMZ_in extended permit udp 172.30.1.0 255.255.255.0 any eq domain
pager lines 24
logging enable
logging buffer-size 1000000
logging monitor debugging
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 172.30.1.2-172.30.1.200
nat (inside) 1 10.250.0.0 255.255.0.0
nat (outside) 1 10.250.2.0 255.255.255.0
nat (DMZ) 1 172.30.0.0 255.255.0.0
static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
access-group from_outside in interface outside
access-group DMZ_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
route inside 10.0.0.0 255.0.0.0 10.1.1.1 1
route inside 172.16.0.0 255.255.0.0 10.1.1.1 1
route inside 192.168.0.0 255.255.0.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.250.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec transform-set 3DES-SHA-HMAC esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 38.106.177.10
tftp-server inside 10.250.1.10 /asacurrentconfig.txt
webvpn
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
: end
06-27-2012 02:29 PM
Hi,
Can you successfully ping the NTP server from your router?
Soroush.
06-27-2012 02:38 PM
I can ping the NTP server from the ASA but not from the 2600 router. I cannot see how the ASA could be blocking NTP traffic if the ASA itself communicates with the same NTP server just fine.
Thanks
john
06-27-2012 02:45 PM
The traffic which originates from the device itself and the traffic passing through the device are two different stories.
If it is just the NTP traffic that you have difficulty passing through the ASA, make an exception and let it pass; the source and destination (for both directions, RX/TX) are known, so it is a specific config.
Please rate if it helped,
Soroush.
06-27-2012 03:13 PM
Have you tried other NTP servers?
Look for your local NTP server from the link Stratum Two Time Servers.
06-27-2012 03:23 PM
Yes I have, from this page.
06-29-2012 06:10 PM
Sorry, I didn't make myself clear here ... Can you ADD more NTP server addresses to your config and try, so the appliance can do a round-robin?
06-27-2012 05:21 PM
Have you tried setting up captures on your ASA to see if it's getting to the inside interface on the ASA? You can then set up a capture inbound on the outside interface to see if it's responding. If the NTP server is not responding then that's not on you. I would try to verify traffic from Traffic Initiator to Traffic Destination and back to Traffic Initiator.
06-27-2012 09:51 PM
On my 2901 router my command is
ntp server 10.1.1.7 prefer
I don't have anything about ntp source fa 0/1. One other option is to get the time from the ASA.
Sent from Cisco Technical Support iPhone App